Ransomware WannaCry causes fewer tears than feared

It’s been a week since the WannaCry ransomware attack began infecting computers running Windows software. And things are strangely silent again. It’s almost as if the wake-up call that WannaCry set off was heard by global IT managers – and then those IT managers hit the snooze button.

In a way, that’s not a bad thing. The cybersecurity community worked quickly and effectively to defuse the threat, while the kill switch demanded by digital kidnappers, Bitcoin, proved more difficult to manage than life without an infected computer.

As of late Friday, after many of the deadlines threatening data deletion had passed, few victims had paid ransoms. According to Elliptic Enterprises, only about $94,000 worth of ransoms had been paid via Bitcoin, which works out to less than one in a thousand of the 300,000 victims who were reportedly affected by WannaCry. So we’re safe… right?

Looking back with the benefit of a week’s hindsight, two lessons are apparent.

First, the story of the WannaCry attack is the stuff of cyberthrillers. Based on tools developed by the National Security Agency, WannaCry spread through phishing emails containing job offers, invoices, or security warnings. The malware infected as many as 300,000 computers, the vast majority of them using Windows 7 but apparently not running Windows Update, which might have installed a patch Microsoft created in March on the vulnerable PCs.

Infected computers ranged from those at companies like FedEx to those in the hospitals of Britain’s National Health Service, raising the stakes of the attack from a corporate headache to a potentially life-and-death matter. Meanwhile, in a sleepy British seaside town, a 22-year-old researcher named Marcus Hutchins helped slow the malware’s spread early Saturday by discovering, and then registering, a domain name inside its code.

On Monday, reports of the ransomware caught fire. Stocks in the cybersecurity sector, predictably, rallied. Google Trends – a crude but useful measure of interest in the story – shows interest spiking on Monday, as the business world returned to work and booted up its PCs. It has since steadily declined, to the point where software security is once again becoming something of an afterthought. As the New York Times pointed out, many IT managers are calling the WannaCry hackers’ bluff.

That blithe spirit is bolstered by a vulnerability that researchers in France discovered and used to unlock computers infected with WannaCry (with caveats – victims can’t reboot their ill computers, and they can’t keep them running too long while infected). That’s the good news: The overall response of the cybersecurity community has been strong enough to save many of the companies and organizations that kept hitting the snooze button on every wake-up call.

Which brings us to the second lesson. While not as bad as feared, ransomware (not to mention cybersecurity threats in general) isn’t going away. Wired reported that the domain registered by Hutchins has been under intense denial-of-service attacks by an army of IoT devices marshaled, zombie-like, by Mirai.

Mirai was the botnet that made news last fall by taking down sites like Spotify, Twitter, Reddit, Netflix, etc., thanks to unsecured IoT devices. So here’s Act II of this month’s cyberthriller: A highly effective hacking front is turning its efforts to free another semi-effective hacking initiative contained by the white-hat cybersecurity community. Fall back asleep, and this may quickly turn into a nightmare.

Malignant hacking campaigns are every bit as incremental as the software iterations being perfected by Facebook, that corporate entity headquartered on Hacker Way. Both set a mountaintop goal and will charge back up again, and again, no matter how many failures it takes. Both learn, AI-like, by seeing what works and what doesn’t, and then adapt accordingly.

And now for Act III. The Hollywood narrative calls for the cybersecurity community to respond. How? (For starters, I’d suggest quashing the name cybersecurity – even “digital security” sounds better. ’90s terms like “cyber” are so, um, 1990s.) But that depends on two things. First, cybersecurity needs to take itself seriously. Sophos, for example, failed to update its antivirus software to block WannaCry until a few hours after it infected clients, Reuters reported.

Second, IT managers have to stop putting off the inevitable – when the inevitable involves a data breach that will affect a company’s technology, brand and – above all – customers.

“I don’t want to sound alarmist, but I think we’re just seeing the tip of the iceberg – the number of cybersecurity incidents in coming years is going to multiply,” Dimitri Stiliadis told VentureBeat after his company Aporeto was one of several cloud security startups to receive funding this week. “The root cause is, if you think about how businesses develop software, security is often the last thing they want to think about because it’s not a revenue-generating function.”

If there’s anything we’ve learned in this past week, it’s that IT teams have seen security as an afterthought for too long. A lot of IT networks dodged a bullet, thanks in part to quick countermeasures from the digital-security community, but mostly because employees have learned not to bite on phishbait. WannaCry turned out to be a short-term sob fest. It’s up to corporate IT managers to make sure it doesn’t become an occasion for grieving.